A newer version of this documentation is available.

View Latest

GRANT

  • reference
    +
    The GRANT statement allows granting any RBAC roles to a specific user.

    Roles can be of the following two types:

    simple

    Roles which apply generically to all keyspaces or resources in the cluster.

    For example: ClusterAdmin or BucketAdmin

    parameterized by a keyspace

    Roles which are defined for the scope of the specified keyspace only. The keyspace name is specified after ON.

    For example: DataReader ON `travel-sample`
    or Query_Select ON `travel-sample`

    Only Full Administrators can run the GRANT statement. For more details about user roles, see Authorization.

    Syntax

    grant ::= GRANT role [ ',' role ]* [ ON keyspace-ref [ ',' keyspace-ref ]* ] TO user [ ',' user ]*
    'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? 'TO' user ( ',' user )*
    role

    One of the RBAC role names predefined by Couchbase Server.

    The following roles have short forms that can be used as well:

    • query_selectselect

    • query_insertinsert

    • query_updateupdate

    • query_deletedelete

    user

    A user name created by the Couchbase Server RBAC system.

    Keyspace Reference

    keyspace-ref ::= keyspace-path | keyspace-partial
    keyspace-path | keyspace-partial
    keyspace-path ::= [ namespace ':' ] bucket [ '.' scope '.' collection ]
    ( namespace ':' )? bucket ( '.' scope '.' collection )?
    keyspace-partial ::= collection
    collection

    The simple name or fully-qualified name of a keyspace. Refer to the CREATE INDEX statement for details of the syntax.

    Usage

    GRANT statements support legacy systems and have two forms:

    1. Unparameterized Roles
    GRANT Replication Admin, Query External Access
       TO cchaplan, jgleason;
    
    GRANT replication_admin, query_external_access
       TO cchaplan, jgleason;
    2. Parameterized Roles
    GRANT Query Select, Views Admin
       ON orders, customers
       TO bill, linda;
    
    GRANT query_select, views_admin
       ON orders, customers
       TO bill, linda;
    Mixing of parameterized and unparameterized roles or syntax is not allowed and will create an error.

    Examples

    Example 1. Grant the role of Cluster Administrator to three people
    GRANT ClusterAdmin TO david, michael, robin;
    Example 2. Grant the roles of Cluster Administrator and Data Reader in the travel-sample keyspace to Debby
    GRANT ClusterAdmin, DataReader ON `travel-sample` TO debby;